[英]In spring security, how to find if the session has been invalidated by multiple logins?
When the user logs in with the same userid from another computer, without logging off from the first, the default behaviour is that the first session is invalidated. 当用户使用相同的用户名从另一台计算机登录而没有从第一台计算机注销时,默认行为是第一个会话无效。 Now, when the user goes back to the first computer , I want to tell him that his session has been invalidated because he has logged on from some other computer. 现在,当用户返回第一台计算机时 ,我想告诉他,由于他已经从其他计算机登录,因此他的会话已失效。 How can I do that ? 我怎样才能做到这一点 ?
I have thought of two approaches : 我想到了两种方法:
sessionRegistry
) and when the user goes back to login from the first computer, check whether the current session has the boolean flag as true. 允许多次登录,并且当用户从第二台计算机登录时,向所有会话(其ID是从sessionRegistry
获得的)添加一个布尔标志,并且当用户从第一台计算机返回登录时,请检查当前会话布尔标志为true。 If yes, invalidate the session, and send the user a message. 如果是,则使会话无效,并向用户发送消息。 This will be done in a CustomSuccessHandler
. 这将在CustomSuccessHandler
完成。 Flipside : Its probably not possible to obtain the session object via the session id (which is all what session registry provides) 缺点 :可能无法通过会话ID(这是会话注册表提供的所有功能)获取会话对象
Flipside : It doesn't seem possible to add invalidation reasons while invalidating a session, and I don't know how to access this information (if it exists) from the first computer Flipside :在使会话无效时似乎无法添加无效原因,并且我不知道如何从第一台计算机访问此信息(如果存在)
Don't allow multiple logins. 不允许多次登录。 You can easily achieve this using spring security. 您可以使用Spring Security轻松实现这一目标。
Add concurrent-session-control
to spring security. 将concurrent-session-control
添加到Spring安全性。
<concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="false" expired-url="/jsp/invalidate.do"/>
//you can also set expired-url to your custom invalidate page rather than create a mapping
Create custom requestMapping for invalidate user. 为无效用户创建自定义requestMapping。
@RequestMapping( value = "/invalidate.do", method = RequestMethod.GET )
public String invalidate(HttpServletRequest request)
{
request.setAttribute("invalidate",true);
return "login";
}
Then your login page 然后你的登录页面
<c:if test="${not empty invalidate}">
<script type="text/javascript">
alert("You have been Logged Out. Someone signed in using your account.");
</script>
</script>
Another way is to set your error-if-maximum-exceed
to true
,so it will flag error if user tries to login into another session. 另一种方法是将您的error-if-maximum-exceed
为true
,因此如果用户尝试登录另一个会话,它将标记错误。
<security:session-management>
<security:concurrency-control error-if-maximum-exceeded="true" max-sessions="1"/>
</security:session-management>
Then create a custom message in your message.properties 然后在您的message.properties中创建自定义消息
ConcurrentSessionControlStrategy.exceededAllowed=You have been Logged Out. Someone signed in using your account.
Hope it helps. 希望能帮助到你。
Links: http://codehustler.org/blog/spring-security-tutorial-form-login/ Maximum concurrent users in Spring Security 链接: http : //codehustler.org/blog/spring-security-tutorial-form-login/ Spring Security中的最大并发用户数
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.